Hi Mathieu,

On Thursday, 21 February 2019, 22:19:34 CET, Mathieu Parent wrote:
> I'm working on AppArmor/Samba integration in Samba and integrated your
> "update-apparmor-samba-profile" script.

I'm happy to hear that :-)

> I've taken version 1.1, but it silently exits with:
>
> grep -q '^/usr/sbin/smbd (' /sys/kernel/security/apparmor/profiles || \
>     silentexit "smbd profile not loaded"
>
> I don't have the complete path but the profile name in this file:
>
> $ sudo cat /sys/kernel/security/apparmor/profiles | grep smbd
> smbd (enforce)
>
> I don't know much about AppArmor, is this a bug in the script or a
> behavior difference under Debian?

It's a new/changed behaviour of latest upstream AppArmor, and I have to
admit that I completely forgot that this script will need to be adjusted.

Historically, the profiles used the attachment (= path of the binary,
"/usr/sbin/smbd" in this case) as the profile name. This also means that
the profile name changes if you extend the profile to attach to
"/usr/{bin,sbin}/smbd" (which is needed for distributions with merged
/usr/bin/ and /usr/sbin/).

Latest AppArmor switched to using profile names ("smbd") instead, which
makes this easier (and keeps the profile name short and readable). The
switch causes a one-time pain, but ensures that future attachment changes
(like the {bin,sbin} alternation) won't cause additional pain.

Both Debian and openSUSE will have to adjust the
update-apparmor-samba-profile script - for backward compatibility, the
best way is to grep for both names:

    grep '^smbd (\|^/usr/sbin/smbd (' /sys/kernel/security/apparmor/profiles || \
        silentexit "smbd profile not loaded"

Oh, BTW - thanks for accidentally ;-) reporting this openSUSE bug!
I forwarded it to our Samba maintainers in
https://bugzilla.opensuse.org/show_bug.cgi?id=1126377

Please grab the patch from this bug report to ensure that the Debian and
openSUSE scripts stay in sync.

Regards,

Christian Boltz
-- 
I am not a Dictator, I can think of no example where I've ordered
anyone to do anything. And I would expect people to stare at me funny
and tell me 'no', if I tried. [Richard Brown in opensuse-project]
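Added example, not part of the original mail or of the update-apparmor-samba-profile script: a POSIX shell check that accepts the smbd profile under the old path-based name or the new short name, matching the name exactly so that hats and similarly named profiles are not mistaken for it. The function name `smbd_profile_mode` is hypothetical, accepting the literal name "/usr/{bin,sbin}/smbd" goes beyond the two names in the mail's grep and is an assumption, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not the project's script): report whether an smbd AppArmor
# profile is loaded, whichever naming scheme the running AppArmor uses.

# Kernel list of loaded profiles, one "<name> (<mode>)" entry per line.
PROFILES=/sys/kernel/security/apparmor/profiles

# smbd_profile_mode [FILE]   (hypothetical helper name)
# Prints the mode of the first profile whose name is an accepted smbd name.
# Returns 0 if found, 1 if no such profile is loaded, 2 if FILE is unreadable.
smbd_profile_mode() {
    file=${1:-$PROFILES}
    [ -r "$file" ] || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip anything that is not "<name> (<mode>)".
        case $line in
            *' ('*')') ;;
            *) continue ;;
        esac
        name=${line% (*}      # text before the last " ("
        mode=${line##* (}     # text after the last " ("
        mode=${mode%)}        # drop the closing parenthesis
        case $name in
            # New short name, old attachment-based name, and (assumption)
            # the old-style name after switching to the {bin,sbin} attachment.
            smbd|/usr/sbin/smbd|'/usr/{bin,sbin}/smbd')
                printf '%s\n' "$mode"
                return 0 ;;
        esac
    done < "$file"
    return 1
}

# Constructed sample of the profiles file (new naming scheme, plus a hat
# and a sibling profile that must not be matched).
sample=$(mktemp)
printf '%s\n' 'nmbd (enforce)' 'smbd//hat (complain)' 'smbd (enforce)' > "$sample"
smbd_profile_mode "$sample" || echo "smbd profile not loaded"
rm -f "$sample"
```

Called without an argument, the function reads the kernel's profile list and can replace the grep in a guard such as `smbd_profile_mode >/dev/null || silentexit "smbd profile not loaded"`.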